PHP 8.4.21 and 8.3.31: When the null byte becomes a SQL gateway — what the May roll-up means for TYPO3 and Sylius stacks
On 7 May 2026 the PHP team shipped the coordinated security roll-up for PHP 8.2.31, 8.3.31, 8.4.21 and 8.5.6. Each line closes between eight and thirteen vulnerabilities — across FPM, mbstring, SOAP, the OpenSSL binding and the standard library. The most uncomfortable one sits in the PDO Firebird driver: NUL bytes inside quoted strings open a classic SQL injection despite prepared statements (GHSA-w476-322c-wpvm / CVE-2025-14179).
What changed? A broad roll-up for every active 8.x line, all of them pure patch-level updates with no API breaks. Who is affected? Any TYPO3, Sylius or Symfony stack whose Composer pipeline and container image tags do not pick the new version up automatically. What is on the agenda today? Lift the patch level to the 7 May floor, audit image tag discipline in CI, and run a short code search for NUL-byte patterns in any home-grown sanitiser.
The 90-second summary
On 7 May 2026 the PHP team shipped the coordinated security roll-up for PHP 8.2.31, 8.3.31, 8.4.21 and 8.5.6. Each line closes between eight and thirteen vulnerabilities — in FPM, mbstring, SOAP, OpenSSL 4.0 wiring and the standard library. The most interesting item lives in the PDO Firebird driver: NUL bytes inside quoted strings are mis-handled, so anything after the null character is silently dropped from validation — and arrives at the parser unsanitised. SQL injection despite prepared statements, documented as GHSA-w476-322c-wpvm and CVE-2025-14179.
Anyone running a TYPO3 or Sylius stack has the PHP 8.2, 8.3 or 8.4 line under it. All lines have patches available today — plain patch-level updates with no API breaks. Impact class: SQL injection on PDO Firebird, plus memory leaks, use-after-free in SOAP, null-pointer dereference in mbstring, XSS in the FPM status endpoint. For DACH mid-market, the wave touches every CMS and shop host, with or without Firebird in the stack — because the mbstring, SOAP and FPM fixes sit in every request path.
What was patched on 7 May — and where the real hole sits
The May wave is broader than a typical PHP security point release. PHP 8.3.31 alone lifts several classes at once: an XSS vector in the FPM status endpoint, a null-pointer dereference in php_mb_check_encoding(), OpenSSL 4.0 compatibility, several SOAP corrections around stale pointers and use-after-free — and the NUL-byte SQL injection in PDO Firebird. PHP 8.4.21 follows with memory leak fixes in session and Phar handling and a JIT assertion failure. PHP 8.2.31, near end of life as an LTS-style line, picks up the critical fixes as well; PHP 8.5.6 rolls alongside.
The Firebird issue (GHSA-w476-322c-wpvm, tracked as CVE-2025-14179) is the structurally most interesting position. The driver stops its input validation at the first NUL byte, while the query parser then keeps processing whatever follows. Anyone validating input before it reaches the PDO prepared-statement path will often miss this case — the assumption “prepared statements + PDO = safe” does not hold here.
Why “we don’t use Firebird” falls short
If Firebird is not in production, that one vulnerability does not bite. But the May roll-up contains more — and it reveals something we see repeatedly in reviews: PHP security point releases get deferred because “it doesn’t apply to us”. That logic breaks the moment the next wave lands in a component you do use — SOAP, OpenSSL, mbstring, FPM are all in the May wave and live inside every TYPO3 or Sylius application.
The PHP patch discipline is not “critical bugs immediately, the rest later”. It reads: within a point-release line, always run the most recent patch. Whoever stays on 8.3.30 because the Firebird item “isn’t us” keeps the FPM status XSS, the SOAP memory error and the mbstring dereference in production unchanged.
What we concretely recommend
First — and most directly: lift your PHP line to the 7 May floor. For 8.3 that is 8.3.31, for 8.4 it is 8.4.21, for 8.2 (if still in scope) 8.2.31. All jumps are pure patch-level updates without API breaks. In a typical TYPO3 13.4 LTS setup the update is visible with php -v and stays inside the "require": { "php": ">=8.3" } range in composer.json. Sylius and Symfony projects follow the same path.
Second — especially relevant for multi-shop and multi-tenant houses: check whether your CI/CD picks the point-release jump up automatically. We frequently see pipelines that pin PHP versions (php:8.3.30-fpm-alpine) and forget to rotate the tag. Wolfi OS images get rebuilt daily and pull the patch in automatically — proprietary Alpine- or Debian-based images do not, without a refresh job in the pipeline.
Third — the structural question behind the Firebird item: where in your code path do user strings pass through a quoting layer that does not expect end-of-string? The “NUL byte stops validation” pattern is not specific to PDO Firebird; it surfaces in C bindings, in older wrapper libraries and occasionally in home-grown sanitisers. A short code search for \0 and chr(0) in your own repositories is three minutes well spent today.
What we deliberately do not recommend
We do not recommend taking the May wave as a trigger for a PHP major migration. PHP 8.5 has been available since November 2025; anyone on 8.3 LTS has support until December 2027. The jump 8.3 → 8.4 or 8.4 → 8.5 is a separate architecture decision with its own test budget — not a patch-Tuesday reflex.
Equally, we do not recommend leaning on an upstream WAF filter that drops NUL bytes in URL parameters. That is reasonable defence in depth, but no substitute for the patch — whoever keeps the driver in the PHP process keeps the vulnerability.
What we have actually done
In our own operations the May wave is already through. Wherever the customer configuration allows it, we run TYPO3, Sylius and Symfony stacks on PHP 8.5; the Wolfi OS images pull regular point releases in a daily rebuild. For clients on 8.3 LTS or 8.4, the jump to 8.3.31 or 8.4.21 is on the running maintenance line and will be rolled out in the next regular patch sprint: lockfile refresh, image tag rotation, smoke tests against the client frontends.
That the wave does not land on us is not a feat. It is the expected behaviour of a pipeline built for exactly that: daily Wolfi rebuilds, pinned image tags with a refresh job, automated composer.lock diffs against each major line. What reads as “we are through” is three years of pipeline hygiene with clear ownership.
Who is most exposed
TYPO3 houses with long service history, sitting on 8.3 or 8.4, who roll PHP patches on a quarterly cadence for historical reasons. These stacks have SOAP and mbstring paths in every frontend request — the May wave touches all of them and belongs in the May sprint, not the next quarter.
Sylius multi-tenant houses updating their shops from a shared Composer lockfile. A lockfile refresh is not enough here — the PHP engine itself has to reach the 7 May floor. If shops run on different container hosts, check today that every host has rotated to the new image tag.
SMEs with in-house Symfony that build their production containers from older Alpine images. Those images are often referenced as :latest in CI, but :latest does not get rebuilt automatically — without an image refresh job, the pre-May state sits in production and no one notices.
Verdict
The May wave is not a headline event. It is a routine duty — and the kind of duty against which the operational maturity of a PHP stack can be read. Anyone still on 8.3.30 or 8.4.20 today has no longer a technical reason but an open task. The Firebird vulnerability is the loud hook; the mbstring, SOAP and FPM corrections are the structurally more important pieces.
The question is not whether the May wave touches you. It is whether your pipeline is built to pull point releases without escalation — or whether someone has to push it manually today.
Frequently asked questions about the PHP security roll-up of 7 May 2026
We don’t use Firebird at all — does the May update affect us?+
The PDO Firebird item is the loudest position, not the only one. PHP 8.3.31 alone closes eight to thirteen vulnerabilities — among them an XSS in the FPM status endpoint, a null-pointer dereference in php_mb_check_encoding(), several SOAP fixes (stale pointer, use-after-free) and the OpenSSL 4.0 wiring. mbstring, FPM and SOAP sit in every TYPO3 and Sylius request path. Anyone without Firebird is spared one item — not the wave.
Isn’t a composer update enough to reach the May floor?+
No. composer update updates PHP packages, not the PHP interpreter itself. The May wave is about the PHP engine: php -v has to show 8.3.31, 8.4.21, 8.2.31 or 8.5.6. That means refreshing the distribution package (apt, dnf) or the container image (Wolfi tag refresh, Docker Hub image tag). Composer comes after that.
We pin PHP images with :latest — are we automatically safe?+
Not reliably. :latest is a tag, not a guarantee. With Wolfi OS images the tag is rebuilt daily and pulls in the 7 May patch automatically — provided the CI pulls the image fresh on each build (--pull always). With classic Alpine or Debian based images, :latest often stays on a stale layer for days. We recommend explicitly tagged image versions plus a weekly refresh job in the pipeline.
How do I check whether my TYPO3 or Sylius host already runs 8.3.31 or 8.4.21?+
Three commands: php -v on the console for the CLI interpreter, php-fpm -v for the FPM worker (often a different version in real setups), and php -i | grep "PHP Version" on the SAPI the webserver actually uses (via a protected info page). If any of these three is not on the 7 May floor, the CI or server pipeline has not picked the jump up. On Wolfi OS, apk info -v | grep php; on Debian/Ubuntu, dpkg -l | grep php.
Do we have to roll the May update out immediately, or does the next maintenance window suffice?+
It is not a same-day emergency like Dirty Frag or the Apache HTTP/2 double-free — the May wave has no active mass exploitation in the wild. But it belongs in the next regular May patch sprint, not in the quarterly plan. Twelve weeks on a stack with an XSS in the FPM status endpoint and a SOAP use-after-free is a deliberate choice we do not recommend. For KRITIS or NIS-2 obligated clients the line is anyway: within two weeks.
What about PHP 8.2 — do we still get patches?+
Yes, but only for a limited time. PHP 8.2 is in security-only support until 31 December 2026; 8.2.31 is part of the May wave and closes the critical items. For houses still on 8.2, the May wave is the right occasion to plan the 8.3 LTS jump for the Q3 sprint. PHP 8.3 has active support until December 2027, 8.4 until December 2028 — both receive the May wave as regular security point releases.
Related posts
Symfony Process CVE-2026-24739: when an equals sign under Git Bash empties the drive — what German teams should check in the Composer pipeline
Weiterlesen →Databases in BSI's blueprint: what the new practical guide changes operationally for relational, NoSQL and containerised systems
Weiterlesen →When the CMS writes backend passwords in plain text: TYPO3 14.2 and CVE-2026-6553
Weiterlesen →![[Translate to English:] Mattschwarze Server-Edge-Box auf Walnuss-Werkbank mit aufgeklapptem Laptop, der einen TYPO3-Backend-Pagetree zeigt; daneben zwei Kraft-Paper-Module-Cartridges mit Mono-Labels 14.3.1 und 13.4.29, im Hintergrund Mosel-Schiefer-Weinberg-Terrassen im Morgennebel.](/fileadmin/_processed_/c/6/csm_8594429e301ce9c276f63542f71775511bd1e0e5f4402532b644325d439c338f_9a3584a49e.jpg "[Translate to English:] TYPO3 14.3.1 und 13.4.29 — Maintenance-Releases im Betreiberüberblick")
TYPO3 14.3.1 + 13.4.29
Weiterlesen →How clean is your Composer pipeline against the next PHP roll-up?
You run TYPO3, Sylius or an in-house Symfony stack on PHP 8.3 or 8.4 and you are not sure whether your pipeline has picked up the May wave automatically? We review your Composer pin lines, your container image tags and your CI refresh logic — as a two-hour pipeline review with a documented patch status and a clear list of places where :latest makes sense and where it does not.